Control Device and Method for the Control of Functions

ABSTRACT

The invention relates to a controller having an integration of different functions with which a respective microcontroller is associated. In accordance with the invention, at least one monitoring unit is provided which is implemented for a plurality of functions, with only the defective function being able to be switched off in the case of a defect recognition. The invention further relates to a method for the integrative control of different functions.

The invention relates to a controller in which different functions are integrated, with microcontrollers being associated with the different functions. The invention further relates to a method for the integrative control of different functions.

Such controllers and control methods can be used, for example, in the automotive industry, but also in other industrial areas.

Corresponding demands on availability and safety must be satisfied in the integration of functions into an electronic controller. One criterion for this is the degree of diagnosis and the defect tolerance. If two different functions are integrated in a controller, for example a braking system and a comfort system, the systems must achieve at least the same criteria as the separate systems. This means that, in the simplest case, the redundancies and error monitoring processes of both systems have to be taken over in full. No losses with respect to availability and defect tolerance may occur here.

By way of example: if both the braking system and the comfort system each have two microcontrollers, the microcontrollers present in the total system add up to four units. However, this is associated with substantial space requirements. Furthermore, the development risk increases due to the complexity of the arrangement. The costs for this arrangement are also comparatively high.

A controller known from DE 198 00 311 A1 includes two microcontrollers between which a synchronous comparison of the data takes place. On recognition of an inconsistency in one of the microcontrollers, the defect is recognised by the system and the total system is put into a safe state or is shut down.

So-called master-slave concepts are known from DE 10 2005 030 770 A1, for example. In these concepts, a check is carried out with diverse redundancy. On an inconsistency, the system response is likewise moved to a safe state (e.g. prevented) or the system is shut down.

It is disadvantageous in these previously known systems that, on the recognition of a defect, the complete system is shut down so that functions which are themselves free of defects are also no longer available.

As an alternative system, a controller is known from DE 10 2004 032 405 A1 which can be used for space applications and in which three or more microcontrollers are used. A majority decision is taken in this controller. However, the system is made up of a number of components and is not suitable for application in motor vehicles due to its complex design. The high system costs also stand in the way of an application in motor vehicles.

It is therefore the object of the invention to provide a controller with a defect free system which has a less complicated design than previously known systems and which does not result in the complete shut down of the total system on a defect recognition.

It is additionally the object of the invention to provide a method for the integrative control of a plurality of functions in a defect-free system which is less complex and/or expensive in comparison with the prior art.

This object is solved in accordance with the invention by a controller in accordance with claim 1. With such a controller, in which different functions are integrated, a separate microcontroller is associated with each of the functions. In accordance with the invention, a monitoring unit is now provided which is implemented for a plurality of functions. In the case of a defect recognition in the controller, only the defective function is shut down in accordance with the present invention. It is thus ensured, despite the combination of a plurality of functions in one controller, that, on a corresponding defect recognition, the total controller does not immediately have to be shut down for all functions.

Preferred embodiments of the invention result from the subordinate claims depending on the main claim.

The monitoring unit can accordingly be arranged outside the microcontroller associated with the functions.

The microcontrollers advantageously check their functions mutually, with the checking units being arranged on the respective microcontroller. In addition to these integrated checking units, reciprocal checking units can also be provided outside the microcontrollers.

It is of particular advantage if a diagnostic unit is additionally provided which carries out a dedicated error analysis and error treatment. In this case, on the occurrence of a corresponding defect in one of the functions, that function can admittedly first be deactivated. On a corresponding diagnosis by the diagnostic unit, however, the defect may be recognised as remediable and may subsequently be remedied. The previously damaged function can thus be activated again after a corresponding defect remedy.

The diagnostic unit can advantageously be associated with the monitoring unit. In this respect, the diagnostic unit can be specifically associated with the microcontrollers of the functions.

In accordance with an advantageous embodiment variant of the invention, the first function relates to the field of the active safety of a vehicle and the second function relates to the field of the passive safety of a vehicle. In this respect, for example, the first function can be related to the braking or to the stability, whereas the second function is related to an occupant protection device, for example to an airbag or to a belt system.

In another advantageous embodiment of the invention, a plurality of functions from the field of the active safety of a vehicle are integrated. Alternatively to this, a plurality of functions from the field of the passive safety of a vehicle can also be integrated.

Finally, in accordance with a further advantageous embodiment of the invention, at least one function from the field of the telematics of a vehicle can be integrated with at least one function from the field of the passive safety of a vehicle and/or of the active safety of a vehicle.

The aforesaid object is also solved in accordance with the invention by a method for the integrative control of different functions in accordance with claim 13. In this method, too, a microcontroller is associated with each of the individual functions. The respective functions are monitored by at least one monitoring unit which is implemented for a plurality of functions, with, in the case of a defect recognition, the functionality of the controller being reduced only by the damaged function or damaged functions. The defective function can optionally advantageously be repaired by a diagnostic system and subsequently activated again.

Further features, details and advantages of the invention result from the embodiments shown in the drawing. There are shown:

FIG. 1: a schematic representation of the design of a controller in accordance with a first embodiment of the invention;

FIG. 2: a schematic representation of a second embodiment variant in accordance with the present invention;

FIG. 3: the embodiment variant in accordance with FIG. 1 in a first defect case;

FIG. 4: the embodiment variant in accordance with FIG. 1 in a second defect case;

FIG. 5: the embodiment variant in accordance with FIG. 1 in a third defect case;

FIG. 6: a further improved embodiment variant of the embodiment of the invention in accordance with FIG. 1; and

FIG. 7: an alternative embodiment of the embodiment of the invention in accordance with FIG. 6.

A controller is shown schematically in FIG. 1 in which different functions are respectively realised by a microcontroller. The two main functions which are each assigned to a separate microcontroller here are, on the one hand, the main function of braking and, on the other hand, the main function of comfort. This is only one example taken from the plurality of possible mutually associated main functions. The main functions can theoretically also be identical.

In the embodiment of FIG. 1, respective monitoring units are implemented in the microcontrollers, each of which monitors the function of the adjacent microcontroller. The monitoring unit for the checking of the function “comfort” is thus integrated in the microcontroller with which the function “braking” is associated. It is indicated by the arrow in FIG. 1 that this monitoring unit for the checking of the function “comfort” monitors the microcontroller “comfort”. Conversely, the monitoring unit for the checking of the function “braking” is integrated in the microcontroller “comfort”. It is illustrated by the corresponding arrow in FIG. 1 that this monitoring unit for the checking of the function “braking” monitors the microcontroller with which this function “braking” is associated.

External monitoring units are additionally present in the controller in accordance with FIG. 1 which serve, on the one hand, the checking of the microcontroller “braking” (here again also shown by an arrow) and, on the other hand, the checking of the microcontroller “comfort” (cf. here also the arrow). A redundant monitoring unit for the function is thus also realised here. The monitoring outside the two microcontrollers for “braking” and “comfort” is realised, for example, by a third microcontroller, an external system or another realisation such as an ASIC.

The availability of the system can be increased by the “double monitoring” since the failure probability of the monitoring function is smaller than that of an individual monitoring unit.

FIG. 3 shows the principle of the controller in accordance with FIG. 1. The lightning symbol indicates here that a defect has occurred in the external monitoring unit. The elliptical border around the system consisting of the two microcontrollers “braking” and “comfort” shows graphically that the main functions of the controller can still be operated safely since at least one correct monitoring unit is still present for the respective main functions. Known methods which do not have to be explained in any more detail at this point can be made use of for the recognition of the defective monitoring unit.

The controller in accordance with FIG. 1 is again shown schematically in FIGS. 4 and 5. However, here a respective defect has occurred in one of the microcontrollers with which a main function (“braking” in FIG. 4 and “comfort” in FIG. 5) is associated.

The lightning symbol marks the defective function in each case. It can be recognised that the unit for the monitoring of the second main function is admittedly also potentially affected, but a secured operation of the second main function is still ensured. The respective elliptical borders designate the part of the controller which can still be further operated as a defect-free part system. In accordance with the invention, only that part system is therefore switched off which is affected by the defect.

For the special case not shown in FIGS. 4 and 5 that both main functions are identical, that is, for example, both main functions relate to “braking”, the system provides so-called “fault tolerance”.

FIG. 2 shows schematically a controller in accordance with FIG. 1, with the monitoring units, however, being completely accommodated in at least one external unit.

The availability can also be increased here by the “double monitoring” since the failure probability of the monitoring function is smaller than that of a single monitoring unit.

Finally, FIGS. 6 and 7 in turn show schematically a controller having substantially the design generally shown in FIG. 1. Here, however, a diagnostic unit which is called a “diagnostic module” is additionally integrated. On the occurrence of an error, it allows an analysis to be prepared and, optionally, the defective part system to be integrated in the operation of the controller again and to be put back into function after a previous shutdown.

In the embodiment in accordance with FIG. 6, a respective “diagnostic module” is provided in the microcontrollers for the function “braking” and “comfort”. The intervention possibility of the diagnostic module in the respective system units is shown by the respective arrows. The diagnostic module of the microcontroller “comfort” can thus, as the respective arrows starting from it show, analyse all the units such as the separate microcontroller “comfort”, but also the microcontroller “braking”, the other diagnostic module or the four monitoring units and can optionally again put the defective units or part systems back into correct operation.

In the embodiment in accordance with FIG. 7, a diagnostic module is integrated in the external monitoring unit.

The availability of the controller can be increased even further based on the additional diagnosis and repair function of the diagnostic module. 
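
As an added illustration (not part of the patent text, which specifies no implementation), the following C model reproduces the FIG. 1 arrangement and the defect handling of FIGS. 3 to 6. The type and function names, and the rule that a function left without any trustworthy monitor is also disabled, are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical model of FIG. 1; all names are illustrative, not from the patent. */
enum { BRAKING, COMFORT, N_FUNCS };
typedef struct {
    bool mcu_ok[N_FUNCS];      /* microcontroller carrying main function f       */
    bool int_mon_ok[N_FUNCS];  /* monitor for f, hosted on the other MCU (1 - f) */
    bool ext_mon_ok[N_FUNCS];  /* monitor for f in the external unit             */
    bool active[N_FUNCS];      /* is main function f currently enabled?          */
} controller_t;

controller_t controller_init(void) {
    controller_t c;
    for (int f = 0; f < N_FUNCS; f++)
        c.mcu_ok[f] = c.int_mon_ok[f] = c.ext_mon_ok[f] = c.active[f] = true;
    return c;
}

/* Only the affected function is switched off. Assumptions: a function with no
   trustworthy monitor left is also disabled, and a monitor hosted on a
   defective MCU is treated as untrustworthy (FIGS. 4 and 5). */
void controller_evaluate(controller_t *c) {
    for (int f = 0; f < N_FUNCS; f++) {
        bool int_usable = c->int_mon_ok[f] && c->mcu_ok[1 - f];
        c->active[f] = c->mcu_ok[f] && (int_usable || c->ext_mon_ok[f]);
    }
}

/* Diagnostic module (FIG. 6): a defect judged remediable is repaired and the
   function is put back into operation. Returns whether f is active afterwards. */
bool diagnostic_repair(controller_t *c, int f, bool remediable) {
    if (!c->mcu_ok[f] && remediable) c->mcu_ok[f] = true;
    controller_evaluate(c);
    return c->active[f];
}

/* Bit 0 = braking active, bit 1 = comfort active. */
unsigned active_mask(const controller_t *c) {
    return (c->active[BRAKING] ? 1u : 0u) | (c->active[COMFORT] ? 2u : 0u);
}

int main(void) {
    controller_t c = controller_init();
    c.mcu_ok[BRAKING] = false;              /* FIG. 4: defect in "braking" MCU */
    controller_evaluate(&c);
    printf("defect in braking: mask=%u\n", active_mask(&c));
    diagnostic_repair(&c, BRAKING, true);   /* FIG. 6: remediable defect       */
    printf("after repair:      mask=%u\n", active_mask(&c));
    return 0;
}
```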

1. A controller system in which a plurality of different functions are integrated, comprising a respective microcontroller being associated with each of the functions, at least one monitoring unit is implemented for a plurality of the functions and, in the event of a defect detection in the controller, only the at least one function associated with the defective function is deactivated.
 2. A controller system in accordance with claim 1, further comprising that the monitoring unit is arranged outside the microcontrollers associated with the functions.
 3. A controller system in accordance with claim 1, further comprising that the microcontrollers mutually check their functions, with the monitoring units being arranged on the respective microcontroller.
 4. A controller system in accordance with claim 1, further comprising that the microcontrollers mutually check their functions, with the monitoring units being located outside the microcontrollers.
 5. A controller system in accordance with claim 1, further comprising that a diagnostic unit is provided which can carry out an error analysis and an error processing.
 6. A controller system in accordance with claim 5, further comprising that the diagnostic unit is associated with the monitoring unit.
 7. A controller system in accordance with claim 6, further comprising that the diagnostic unit is associated with the microcontrollers of the functions.
 8. A controller system in accordance with claim 1, further comprising that a first function relates to the area of the active safety of a vehicle and a second function relates to the area of the passive safety of the vehicle.
 9. A controller system in accordance with claim 8, further comprising that the first function is related to braking or to driving stability; and that the second function is related to a passenger protection device.
 10. A controller in accordance with claim 1, further comprising that a plurality of functions from the area of the active safety of a vehicle are integrated.
 11. A controller in accordance with claim 1, further comprising that a plurality of functions from the area of the passive safety of a vehicle are integrated.
 12. A controller in accordance with claim 1, further comprising that at least one function from the area of telematics of a vehicle is integrated with at least one function from the area of the passive safety or active safety of a vehicle.
 13. A method for the integrative control of different functions with each of which a respective microcontroller is associated, comprising that the functions are monitored by at least one monitoring unit which is implemented for a plurality of functions, with, in the event of an error recognition in the controller, the function only being reduced by the damaged function or functions.